We just went through a whole lockdown and restore process for our Joomla process and I just scanned our code with a google fetch through webmaster tools and here is what I am seeing in the head of my homepage:

What forum module are you using? It's possible that another module might accept an export from the older forum module you're using in Joomla 1.5.

You're SOL when it comes to Joomla 1.5 and security. Support for it was dropped at the end of 2012. Meaning, any new bugs or security flaws that have been discovered since then will remain unpatched. It's a risky move to continue running an unsupported CMS version.

Joomla, and especially the 1.5 branch, has been infamous for its security issues.

force
—
2013-06-20T21:28:35Z —
#3

You'll have to restore the files and database from a backup to a point before when the hack occurred.

Typically, there's been some code injected into various PHP files. It's difficult to check all the PHP files by hand for the code that's been injected, especially if it's something you're unfamiliar with. There's also the possibility that your database was messed with as well. Hence, my recommendation to restore from a backup.

As for preventing this from happening again...change your control panel password, your user/FTP passwords, your database passwords, make sure your web files are set to 644 permissions, and don't use Joomla 1.5.x.

NelsonDesigns
—
2013-06-21T11:52:34Z —
#4

We did do a complete restore on the web files but not the database can meta data overrides like this be coming from the actual database?

UpReseller
—
2013-06-24T05:39:00Z —
#5

I guess it comes from template file with security issue. You should check with your hosting provider about it.